
I'll put this as clearly as I can. Local units are currently using a plethora of various shoddy web solutions, ranging from outdated and vulnerable free scripts, modified versions of existing software that never went though the proper auditing and ending with solutions that are completely inappropriate for the job.

That is your first problem then, and is typical of bottom up design.

You need to adopt a structured analysis and design methodology (SSADM, PRINCE2 or whatever takes your fancy) if you want a coherent and cohesive solution that would facilitate security.

The only other thing I can think of is cloud computing... where the cloud never gets compromised.

Yes, there does seem to be 1970s/1980s mainframe thinking here. Dumb terminals, flat file architecture and all your eggs in the one basket.

Certainly not a military solution or even defence sector, as there is an implied requirement for all units to have remote access, and you are presenting a single target for a one shot kill.

My experience in the defence sector indicates that there is a need for two distinct types of network:

1. The General Network. This basically handles unclassified material with various subdivisions for LAN, WAN, and internet etc. It is secured as all networks should be, but does not permit access to anything rated as classified.

2. The Secure Network. This handles all classified material and is only accessible on site (where physical security can see that you are not under duress). No external connections are permitted, nor is connection to the General Network. Connectivity is wired not WiFi.

Basically, if a site or command centre is compromised then only data pertinent to it is compromised. You would have to roll up all locations to get the big picture, and to prevent re-grouping.

Focus is put on maximum security, privacy, constant auditing and strict limitation of access. Individual units are incapable of properly securing their data on their own. Instead of a number of sloppy and potentially dangerous solutions, the idea is to replace all of those with one system that implements the level of security otherwise not attainable by individual units alone.

If your system is fundamentally secure, then it doesn't matter how many implementations of it you have; they are all equally secure from a systems viewpoint, provided that they have been deployed correctly.

On the other hand permanently and irrecoverably erasing the data present on dozens of different servers, as it is today, different software and hardware configurations by the appointed people, whose computer skills may often be insufficient, is a recipe for disaster - assuming there's still power to wipe anything off some remote commercial server.

1. Hardware and software configurations should be irrelevant. We are talking about wiping hard drives here.

2. If people's computer skills are insufficient, then it is only surpassed by the inadequacy of your personnel selection process. Bloody well train them!!! Anyways, just how long do you think it takes to train someone to wipe a hard drive, or pull it from a server and consign it to a furnace, a vat of acid, slice it with a blowtorch or zap it with an electromagnet? I hope that you will notice that only two of those require "power", and there are such things as portable generators and UPS systems these days.

In case it's still not perfectly clear: The server and database is a bureaucratic crutch, not a combat implement. Never was meant to be one. If you'd read my previous post with a bit more attention you'd realize that I stated that in the event of a SHTF

Oh! I read your post with very great attention, and I also read between the lines, given that the writing was in plain text if not brightly coloured capital crayons. This is not about security, this is about an internal power struggle where someone is trying to gain control of, and wrest autonomy from, remote units.

I'm not at liberty to discuss the specifics of how would or how should particular situations be addressed. Neither am I the person to make those calls nor is this a place where I would engage in debates of this kind.

You miss my point; I am not interested in specifics at all, just in general principles, and then only insofar as they would impact on data sensitivity.

Personal data that is out of date is pretty useless, so, if, when the excrement hits the venturi propeller, everyone heads for the hills, so to speak, the locational and contact information will no longer be sensitive?

This can have a significant impact on your database design, if you use a relational database rather than a flat file one. With an RDB you can easily segregate sensitive information from that which is not, and fine tune your security procedures. It would also provide an opportunity to spread disinformation to any potential hostile, particularly if they only get to see part of the database?

As for specifics: "special screws"? Total waste of time if you look at the equipment that fire and rescue use to free trapped people.

Nowhere have you mentioned a strategy for the destruction of backup copies, at least one of which should be held at a remote location. Backups are almost as dangerous as the data on your live systems.

With absolutely no outside funding whatsoever it's kind of tricky to compete with the actual military. With all spending coming from individual members' pockets directly to whatever training, equipment or purpose is needed, it's much better for it to be spent on a dress uniform and matching boots or whatever specialist training than pouring it into some dizzyingly complex form of distributed darknet. I'll leave projects like that up to the CIA. Their yearly budget for floor cleaning and sanitation is probably way higher than all our expenses combined in three.

You are right that centralization is an opportunity for a one-shot kill. If it would mean target destruction, our job has just been done for us. It's acquisition that's the concern.

1. Hardware and software configurations should be irrelevant. We are talking about wiping hard drives here.

If you find that an easy task, go ahead and try to convince me that you could easily go and wipe the HDD(s?) your yahoo geocities* website is on in less than 3 hours in the event of a country-wide blackout. No, go right ahead, I'm listening.

* I know geocities is down, just giving an example.

2. If people's computer skills are insufficient, then it is only surpassed by the inadequacy of your personnel selection process. Bloody well train them!!!

The individuals who happen to be computer specialists aren't the most likely candidates to pass selection in the first place, even though the most motivated ones do manage. Expecting every meathead marine to effortlessly read through and analyze an unencrypted packet dump is about as realistic as training everybody not to reveal their identities without enforcing, say, Tor or similar.

everyone heads for the hills

It was a good idea then, now times have changed. Preliminary tests and simulations are clear on how technologies like FLIR make asymmetric warfare of the type you're describing terrible choices.

As for special screws - sure, but you need the ram chips in one piece, and once the power goes out there's limited time to grab the keys. I wouldn't expect the hostile party to be prepared for that kind of security.

Edit: Backup-wise no risk can be taken. RAID-2 to protect from media failure and nothing more.

The entire design is going to have to be yours, and you are going to have to set up security at each level. You will have to figure out how they will access the central location securely, and as nihil said, control access to only what they need.

But for the server, the easiest solution is to just encrypt the entire server ( OS included ).
This won't stop a hacker from breaching the system ( you need other measures for that because while running everything is unencrypted ) but once it is powered down they will need the passphrase or token to retrieve the data.
If the server location is manned, then with something like DM-Crypt with LUKS, you can simply wipe the header information on the partitions to make the data mostly unrecoverable ( though the information could be obtained from any backups so you would have to protect them as well. ) That would solve the problem of time to wipe the drives; a script could be written for that. Then included in the script ( if there is time ) overwrite the entire partitions just to make sure.

The server would need an adequate UPS, plenty of memory, and the memory would need to be verified prior to using in such a scenario to prevent corruption of data while in use.

Again, there is no one complete solution. A stealth break-in to an unmanned facility would be bad!

If using a physical token and having it in the only available USB, unplugging it would start a wiping script. Who cares if they have the passphrase on the USB if there are no partitions that use it! ( might be a chicken and the egg problem here, but that would have to be worked out. ) Problem with this: if they physically kill the power first, then clone the drives and work off cloned drives, they have the token.

But, if you do not use a physical token, then setting up a script ( after locking down the case ) that any device plugged into say, a usb, would also trigger a script to wipe the LUKS header info and then overwrite the drives may do what you want. Or a case open alarm would do the same thing. But if they clone the drives ( as above ) they would still need the passphrase from someone who knows it.

I have never tried to use these scenarios before, just bouncing ideas.

And I take exception to the phrase meathead marine !!

Using something like TrueCrypt you could possibly have a partition inside a partition. If the wrong passphrase is given ( or you enter it on purpose ) it unlocks both the inner and outer partitions, and when the inner is mounted it auto runs a script and wipes them. I don't know how quick that can be done as I have not used TrueCrypt in quite some time.
Again, just ideas.

" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
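The LUKS header wipe sketched in the post above, written out as an added shell example; this is not code from the poster, the thread or the cryptsetup project. It assumes a LUKS device path, working dd/od/urandom, and an optional path to a detached header backup; it can be rehearsed safely on a file-backed container.

```shell
#!/bin/sh
# Emergency LUKS "header kill" (added illustration, not the thread's own code).
# Assumptions: target is a LUKS-formatted device, or a file-backed container when
# rehearsing; dd, od and /dev/urandom are available.
#
# Why the header: LUKS keeps the key material protecting the data area in its
# header, so destroying the header (plus every luksHeaderBackup copy and every
# backup of the volume) leaves the data area unrecoverable. A full overwrite of
# the data area can follow "if there is time"; it is not what buys the speed.

set -u

# wipe_header DEVICE [MIB]: overwrite the first MIB mebibytes (default 16, which
# covers the LUKS2 header and the smaller LUKS1 one) with random bytes twice,
# then flush. Returns 0 on success, 1 if the device is missing or dd fails.
wipe_header() {
    dev=$1
    mib=${2:-16}
    [ -e "$dev" ] || { echo "no such device: $dev" >&2; return 1; }
    pass=0
    while [ "$pass" -lt 2 ]; do
        dd if=/dev/urandom of="$dev" bs=1048576 count="$mib" conv=notrunc \
            2>/dev/null || return 1
        pass=$((pass + 1))
    done
    sync
    return 0
}

# header_looks_like_luks DEVICE: returns 0 if the LUKS magic "LUKS\xba\xbe" is at
# offset 0, 1 otherwise. Run it before the wipe (right device named?) and after.
header_looks_like_luks() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# panic_wipe DEVICE [HEADER_BACKUP]: one entry point for a token-removal or
# case-open trigger: refuse non-LUKS targets, kill the header, shred any detached
# header backup, then confirm the magic is gone. Returns 0 only when it is.
panic_wipe() {
    dev=$1
    backup=${2:-}
    header_looks_like_luks "$dev" || { echo "refusing: $dev is not LUKS" >&2; return 2; }
    wipe_header "$dev" || return 1
    [ -n "$backup" ] && [ -f "$backup" ] && { wipe_header "$backup" 1; rm -f "$backup"; }
    if header_looks_like_luks "$dev"; then
        echo "header still present on $dev" >&2
        return 1
    fi
    echo "header destroyed on $dev"
    return 0
}
```

The full-disk overwrite the post mentions is deliberately left out of the trigger path: on a real device it runs for hours, so it belongs after this returns, not before.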

This guy must be from the U.S. Government! Sounds like a project manager I used to work for.

Databases are like newspapers in that once it is written, the data is presumed to be the truth. Ever seen a proof of concept in production? Or wondered why the phrase "Don't believe everything you read" came to be?

Plausible deniability? DUDE, in order for that to work, one has to prove, not only that one didn't know, but that one found out the truth was withheld - on purpose, without malicious intent. Including keeping your ass out of jail. It's a neat Hollywood term; legally it's a farce.

Want a DB. Easy, create an Amazon account and spin up a few servers. Need to delete the data. Stop the servers and delete the instance. You can have your servers run and not be backed up. SSL and Domain registration can also be handled at a very low cost.

There are various encryption tools available for the E2C platform and I believe IIS now salts its HSA256 hash if you set up IIS correctly.

Deadman switches for software logic bombs are also good ... such that if not reset by one of X individuals in X hours, the thing blows. Accessing the server in time of communications blackouts means POOF

The full encryption as well ... so power loss will help protect that, with the addition of say a USB dongle in an acid well ... again, power loss equals USB dongle loss, so the system couldn't unscramble.

Then you have to use procedural replacements ... every X days replace/reset passwords and keys, USB dongle attached to a string that lowers into the acid bath, like winding a grandfather clock... chains & weights etc.

If you find that an easy task, go ahead and try to convince me that you could easily go and wipe the HDD(s?) your yahoo geocities* website is on in less than 3 hours in the event of a country-wide blackout. No, go right ahead, I'm listening.

I do hope that you are joking there? If you are storing these data on a public domain computer you have already lost.

Firstly, you would not be able to wipe the drive(s) as you wouldn't even know which they were, let alone have admin rights to them. That is sysadmin rather than webadmin of course. And they keep backups as well, so it would be a waste of time.

Three hours seems rather excessive for a computer under your own control, and for which you would have backup power. Anyways that's why I suggested a distributed relational database. All you need to wipe is the sensitive data, not all the usual website crap, which shouldn't be anywhere near your sensitive data systems.

Also, just how much sensitive data do you have... a while back a UK insurance company lost a laptop with about a million personal records on it... do you have a million members? I doubt it. And a laptop of that era probably had no more than a 250MB HDD... which would have the OS, Apps, recovery partition and whatever on it as well.

I think that you guys should really start with some serious contingency planning, or you will end up with the tail wagging the dog.

In all probability you will see that the excrement is about to hit the Venturi propeller long before it happens. You should have days rather than hours to implement "plan A" which is to erase the sensitive data in an orderly fashion.

A good product for this would be DBAN (Darik's Boot And Nuke) which wipes whole drives or "Eraser" which lets you create a DBAN medium and allows selective wiping as well. I would suggest both, so that you wipe obsolete data as you go along.

OK, there is no real security issue with obsolete data (or it wouldn't be obsolete) but if it is in the same tables as current (sensitive) data, then it prolongs the wiping process.

I would recommend that you conduct some testing to see just how long it would take to wipe your sensitive data.

I suppose that "plan B" is the scenario where you are not warned in advance? In that case you want rapid destruction, I suppose? There are a variety of methods that have been discussed, and I don't see legality coming into it if your nation is now in the hands of a hostile regime. In that situation legality comes in 9mm Parabellum, not from the statute books.

There is an intermediate strategy in which you remove the HDDs and get them offsite to dispose of at your leisure. Do replace them with encrypted drives full of garbage... it would take anyone some time to spot the switch.

Also, don't underestimate the enemy... a standard military dogma I would have thought. If they have people smart enough to pull data from the RAM they WILL bring the right equipment to get into the case. A lot of servers have locks, metal hoops and stuff, if only to stop people stealing them or their components, so it will hardly be a surprise, and might only serve to slow down your disposal process.

And the $64,000 question comes in two parts:

1. What makes you lot think that you are important enough to bother about, over and above the vastly greater number of regular and reserve personnel?

2. If any of you actually have a military background other than a dishonourable discharge that you have somehow managed to keep quiet, your information will be with employers, employment agents, military records and God knows where else. In the scenario you seem to be suggesting, anybody with a military background is going to be suspect, or none at all. I would guess that the only people with increased risk would be your members with no military background, and hence, no record.

In other words, what makes you think that a "hostile force" would be in the least bit interested, particularly as their most pressing requirement would be how to deal with your allies, NATO, the UN or whoever... we're not talking about Atlantis here, are we?

It would seem to me that the only plausible threat would be from your own law enforcement and/or national security forces, as only they would be in a position and capability to mount any viable form of surprise attack. As I suggested, I doubt if they would need to. If they saw you as a threat they would have infiltrated and mounted surveillance long before.

Are you really suggesting that your intel is that poor that you would not have sufficient warning to wipe, destroy, or remove your drives if the attack were external? If that were the case then you would be doing your nation a favour, as your regular forces and agencies would be forewarned.

Incidentally, it takes me about 20 seconds to remove two 1TB drives from a computer... without "special screws" of course... speaking of which, what are you going to do about the screwdriver?

BTW, I have a tube of stuff called "liquid metal"... it sets in a few minutes to 80% of the strength of mild steel. I would just use something like that to "pad" the fit to a tool that I did have.